Master Your Information Assets

I was recently asked by the GSMA to undertake an independent study looking at the security of various LPWA (Low-Power Wide-Area) network technologies. I took on the project because I find it a very interesting topic; these types of network are targeted at IoT (Internet-of-Things) devices, an area I have been working on over the last couple of years with IoTUK and the IoT Security Foundation. One of the main challenges of the IoT space is in making trade-offs to accommodate low-power and low-cost devices, and security is one of the things that might be traded off.

Today we’ve launched a new web site, enigmamug.com, and an associated CafePress store. The idea is that you enter your name, or whatever other word(s) you might like on a mug, it creates a design in the style of the Enigma machine logo and you can then (if you like it!) buy a mug with that design from CafePress. We have other designs also in the store: Enigma machine plugboards, with or without the plugs and cables, which we think look pretty good wrapped around a mug.

Recently we’ve taken on a client with immense experience of IT product development but not so much experience with computer security. A report I am writing for them starts by defining terms, to avoid possible confusion; I thought I’d also write this article to discuss more generally why “threats”, “risks” and “vulnerabilities” deserve specific definitions in that context.

I don’t usually post Windows tips and tricks, but I thought this might be useful as I haven’t seen it mentioned anywhere else. Briefly, the Windows 10 Print to PDF support doesn’t allow custom page sizes as it comes, but there is a simple way to enable it.

An often neglected, but crucial, part of Bletchley Park’s work in World War II was the vast amount of data processing done using punched cards on Hollerith machines. The department which did this was called the “Freebornery”, at first located in Hut 7 (since demolished) and later in Block C (recently restored as the new visitor centre).

A few years ago I gave talks at Open Tech and Over the Air, including some mobile security ideas that phone manufacturers were unlikely to implement. One of those ideas was what I called “notarised call recording”, being a way to hold utility companies to account for what they promise you in telephone calls.

Having proved the concept using netcat, we need to add access control and make it accessible via a discoverable external address. The design is essentially the same, running the video capture command on the Pi and routing the output stream over IP to a remote client, but we use ssh (Secure SHell) as the transport to add authentication and encryption.

I had security concerns over installing a wireless webcam to keep an eye on our goldfish. Such things are available cheaply off the shelf, typically manufactured in China, but I’m not willing to put a device of questionable provenance on our Intranet, especially not with a direct channel out to a server in China.

I started thinking about using a Raspberry Pi and Skype as an alternative solution. As (most of) the software would be open source, that way I would only have to trust Microsoft and the NSA not to interfere with the Skype server ;-).

My Raspberry Pi camera module didn’t arrive until this week (the first production run sold out almost immediately back in May) and, unfortunately for the plan, Microsoft have turned off the ability to register a Skype developer account in the meantime :-(.

Last month I was pleased to attend the BSIMM Europe Open Forum. BSIMM is a model for assessing software security activities within an organisation; I have been following it since its first release in 2009, and over the last several months I’ve been able to use it in earnest at Visa Europe.

For me, the most interesting discussion at the forum was on presenting BSIMM assessment results in a visually compelling way. The BSIMM document uses spider charts, which hide potentially valuable information about activities at lower maturity levels. Sammy Migues presented a format he uses at Cigital, called “equalizer diagrams”, which reveal that information but lack the comparison with a benchmark.

I decided to ask Louise (the other half of Franklin Heath) about this, as data visualisation is one of her principal skills. We’ve come up with something I like to call a “DIP switch diagram”, which I will explain in this post.